This server certificate is not signed directly by the CA key. Instead, there is a chain of trust from the CA certificate, through the intermediate certificate that is used to sign the server certificate.

In this test, the server certificate is not signed by the CA you have downloaded and installed earlier. In this case, the CA signs another CA certificate, an intermediate certificate, that is used to sign the server certificate. This means that the server sends not only its own certificate to you when you connect, but also the intermediate certificate.

This is quite common for commercial CA certificates. The CA certificate has a long validity period; the intermediate can change more often and has a short expiry time.

A certificate chain of trust

In this case, the client needs to work out the certificate chain from the CA certificate it already trusts, through the intermediate signing certificate, to the server certificate, and trust the whole chain. Your client should be able to successfully verify this chain and connect to this server.
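The chain building described above can be reproduced offline with the openssl command line. This is an added example, not part of the TLS-O-Matic test suite; the names demo-root, demo-intermediate and server.example.test and the helper functions are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo PKI: demo-root -> demo-intermediate -> server.example.test

# issue NAME EXTFILE DAYS [ISSUER]
# Creates NAME.key and NAME.csr, then NAME.pem signed by ISSUER (self-signed if omitted).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
  if [ -n "$4" ]; then
    signer="-CA $4.pem -CAkey $4.key -CAcreateserial"
  else
    signer="-signkey $1.key"
  fi
  # $signer is left unquoted on purpose so it splits into separate options.
  openssl x509 -req -in "$1.csr" $signer -days "$3" \
    -extfile "$2" -out "$1.pem" 2>/dev/null
}

# Builds the three certificates in the current directory.
build_chain() {
  # CA certificates may sign other certificates; the server certificate may not.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.example.test\n' > leaf.ext
  issue demo-root ca.ext 3650 &&
  issue demo-intermediate ca.ext 365 demo-root &&
  issue server.example.test leaf.ext 90 demo-intermediate
}

# The client trusts only the root. The intermediate is supplied as untrusted
# material, the same role it has when the server sends it in the handshake.
verify_with_intermediate() {
  openssl verify -CAfile demo-root.pem -untrusted demo-intermediate.pem \
    server.example.test.pem
}

# Same trust store, but the intermediate is withheld: no path to the root exists.
verify_without_intermediate() {
  openssl verify -CAfile demo-root.pem server.example.test.pem
}

workdir=$(mktemp -d) && cd "$workdir" || exit 1
build_chain || exit 1
verify_with_intermediate
verify_without_intermediate || echo "rejected: issuer of the server certificate is unknown"
```

A server that leaves the intermediate out of its handshake puts the client in the second situation, even though the root is installed and trusted.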

Fork us on GitHub

All the tests, including keys and certificates, are available on GitHub.
https://github.com/edvinanet/tls-o-matic
That's also where you will find all the current tests while waiting for us to write documentation here.

What is TLS?

"The TLS protocol provides communications security over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery."
From RFC 5446, which defines the current TLS version, 1.2. Wikipedia is also helpful in explaining TLS.